Navigating the Festive Cyber Landscape: Ensuring Online Safety during Holiday Shopping

Tahawultech.com spoke to cybersecurity industry frontrunners to learn more about the pitfalls of online shopping and  tips to shop safely this holiday season.

The holiday season brings not only joyous festivities but also a surge in online shopping. As consumers eagerly embark on the quest for the perfect gifts, the virtual marketplace becomes a bustling hub of activity. However, amidst the festive cheer and the convenience of online shopping, there exists a pressing need to prioritize cybersecurity and stay vigilant against potential threats.

The holiday season witnesses a substantial increase in online transactions, making it an opportune time for cybercriminals to exploit unsuspecting shoppers. With an array of enticing deals and promotions flooding the internet, the risk of falling victim to scams, phishing attacks, and identity theft becomes ever more prevalent. As the digital realm transforms into a vibrant marketplace, it is imperative for individuals to arm themselves with knowledge and adopt proactive measures to ensure a secure online shopping experience.

One of the primary concerns during holiday shopping is the proliferation of fraudulent websites and phishing scams. Cybercriminals often create deceptive platforms that mimic legitimate online stores, enticing shoppers with irresistible discounts. Unwary customers, in their pursuit of attractive deals, may unwittingly divulge sensitive personal information, such as credit card details and addresses, falling prey to identity theft and financial fraud. Recognizing the signs of a trustworthy website, verifying the site’s security protocols, and refraining from clicking on dubious links are critical practices that can safeguard users against these nefarious tactics.

Moreover, the prevalence of malware-laden advertisements and fake apps further underscores the need for heightened awareness. Cyber attackers employ sophisticated techniques to infiltrate devices through seemingly harmless applications or advertisements, jeopardizing the security of personal data. Shoppers must exercise caution, only downloading apps from official sources and refraining from clicking on suspicious ads. Employing reputable antivirus software and regularly updating security systems are additional measures that form a robust defense against malware threats.

The essence of secure online shopping extends beyond individual responsibilities to the broader e-commerce landscape. Retailers, too, play a pivotal role in fostering a safe digital environment. Implementing robust encryption measures, securing customer databases, and educating users about online safety are initiatives that contribute to the overall resilience of the online shopping ecosystem.

In this era of digital connectivity, where the allure of online shopping is irresistible, prioritizing cybersecurity during the holiday season is not merely a suggestion but a necessity. By adopting a proactive approach, staying informed about potential risks, and implementing best practices, consumers can revel in the convenience of virtual shopping without compromising the security of their personal and financial information. As the festive spirit permeates the digital realm, let us ensure that the joy of giving is not overshadowed by the looming threats in the cyber landscape.

Here’s what cybersecurity leaders have to say:

Chester Wisniewski, Director, Field CTO, Sophos

Use an ad blocker – Advertisements are not only tracking your every movement and collecting enough information on your habits to make the FBI blush, but they are also a major source of malicious links and deceptive content on the internet. Not only is your browsing safer, but also faster and uses less bandwidth. Two of our favorites are uBlock Origin and Ghostery.

Use private browsing or incognito mode – To prevent your shopping habits and interests from following you around from site to site (and potentially revealing what gifts you might be purchasing to others using your device, bonus!), you should enable private browsing (Firefox) or incognito mode (Chrome). This will block tracking cookies and help the internet forget your travels as the waves wash away your footprints in the sand.

Make your browser “privacy smart” – The Electronic Frontier Foundation (EFF) provides a browser extension called Privacy Badger designed to automatically make all the right choices around browsing whilst maintaining our privacy and blocking invisible trackers.

Avoid using one account on multiple services – When logging into an e-commerce site it is often tempting to use the “Sign in with Facebook” or “Sign in with Google” button. While it takes a few more minutes to create a new login, it will provide more privacy as you are not sharing all of the sites you shop at with these tech giants.

Use guest login when available – In addition to letting you use an account from other websites, many have an option to use a guest login rather than creating a new account. This is a great option if you don’t expect to need technical support or to do business on a recurring basis. Fewer passwords, fewer personal details, fewer problems if they get hacked.

Don’t save card details – Many e-commerce sites will default to storing your credit card information in your profile for your “convenience” (or their hope you’ll shop there again). They can’t lose what they don’t have, so tell them not to store your credit card unless it is absolutely necessary.

Use temporary card numbers – Many financial institutions now offer temporary or one-time use credit card numbers. You can open the app on your phone or in your browser and get a single-use disposable credit card number preventing card fraud and tracking when merchants share card processors. Sometimes you’re even able to specify a card limit per temporary number to further protect your account.

Use credit, not debit – All of us need to be wary of overspending during the holidays, but it is best to leave the debit card at home. Credit cards offer significantly more protection against online fraud, and you are in the power position in a dispute. You can simply not pay your bill while disputing the charge, rather than having criminals directly drain your bank account of your hard-earned cash.

Ezzeldin Hussein, Regional Director, Sales Engineering – SentinelOne

Email Scams & Social Engineering

Email phishing scams involving deceptive messages that appear as legitimate promotional offers or urgent notifications are designed to trick recipients into revealing sensitive information or tempt them into downloading malware. Social engineering plays a pivotal role, manipulating shoppers to divulge personal details or click on malicious links.

Email scams often involve gift card fraud with scammers coercing victims to purchase gift cards under the guise of resolving issues, subsequently taking off with the funds. Fake order confirmations are also common, often including convincing logos and graphics to trick shoppers into clicking on malicious links.

Social media platforms are also breeding grounds for scams, with fake advertisements, pyramid schemes disguised as gift exchange games, and too-good-to-be-true deals leading users to spoofed websites.

Spoofed Websites, Malvertising & E-Skimming

Major discounts create a prime hunting ground for threat actors employing sophisticated techniques such as spoofed websites, malvertising, and e-skimming to exploit unsuspecting shoppers.

Spoofed websites mimic legitimate online retailers, leading users to unwittingly share personal and financial information. Malvertising infiltrates legitimate advertising networks, placing malicious ads on seemingly trustworthy websites and compromising the user’s device upon interaction. E-skimming involves the malicious injection of code into online payment forms, enabling cybercriminals to intercept and steal sensitive payment information during transactions.

Credit Card & Identity Fraud

Threat actors take advantage of the busyness of the holiday period to steal credit card details and digital identities. Credit card fraud involves the unauthorized use of credit card information for illicit transactions, often through compromised online platforms. Identity fraud, on the other hand, entails the theft of personal information to impersonate individuals for fraudulent activities.

Magecart malware, for example, is a malicious script that infiltrates and compromises eCommerce websites to harvest sensitive information, primarily credit card details and other personal data.

The malware intercepts and captures user input, such as credit card information entered during online transactions, without the knowledge of the website owner or the unsuspecting users. The harvested data is exfiltrated to remote servers controlled by cybercriminals, who can exploit it for various fraudulent activities, including unauthorized transactions and identity theft.To protect against credit card and identify fraud.

Satnam Narang, Senior Staff Research Engineer at Tenable

“Often, scams that appear during these holidays may be riddled with inaccuracy in spelling and grammar, but the availability of generative AI closes the gap between the novice scammer with poor spelling and grammar and gives them a competitive edge they’ve never had before. Scammers will use these tools this year as part of their scams and will find more success than in years past.”, Satnam Narang, Senior Staff Research Engineer.

One byproduct of the gold rush in generative AI is the push across a variety of mediums, including in video, to help drive improvements to things like deep fakes. Earlier this year, Tenable senior staff research engineer, Satnam Narang, discovered how MrBeast, the biggest YouTube star in the world with over 188 million subscribers, was impersonated on TikTok to promote a fake iPhone 15 giveaway. The deepfake was a big improvement over what we’ve seen in the past. During this holiday season, it is not unexpected to witness scammers capitalizing on the popularity of MrBeast and other social media influencers to promote giveaways and scams.

An old tactic that remains prevalent each year is the promotion of free gift cards for $500-1000 to various brands, from Apple and Sephora to Cash App and Spotify, on various social media platforms including Instagram and TikTok. These gift cards aren’t free, as they require users to reveal personal information and purchase premium offers, such as free trials, which will cost them money in the long run if they don’t follow the fine print and cancel.

Social media is the perfect place to catch distracted users off guard. Today, cybercriminals can begin their scams on one social network and drive users to another one. Fake profiles are rampant and scammers can create hundreds of accounts to legitimize their scams. These existing tactics combined with the current boom of generative AI and use of deep fakes creates a dangerous situation for users, added Satnam Narang.